Browsed by
Category: Uncategorized

Third Party Software is not a Cathedral, It’s a Bazaar (S03E14)

Third Party Software is not a Cathedral, It’s a Bazaar (S03E14)

David Habusha joins on this weeks episode to discuss the OWASP Top 10 A9: Using components with known vulnerabilities.

He also dives into the Software Composition Analysis (SCA) market.

You can find David on Twitter @davidhabusha

OWASP Top 10 A9

Dependency Check and Dependency Track (S03E13)

Dependency Check and Dependency Track (S03E13)

Steve Springett joins the show to talk Dependency Check and Dependency Track. He also discusses how they can be used to help prevent you from using components with known vulnerabilities.

OWASP Dependency Check

OWASP Dependency Track

You can find Steve on Twitter @stevespringett

The #OWASP Cheat Sheet Project (S03E11)

The #OWASP Cheat Sheet Project (S03E11)

Jim Manico joins on this weeks episode to discuss some of the changes with the OWASP Cheat Sheets and the plans they have for the future of that project. Jim also talks about how they are looking for experts in the field to create or update some of the Cheat Sheets.

You can find Jim on Twitter @manicode

Selling #AppSec Up The Chain (S03E09)

Selling #AppSec Up The Chain (S03E09)

Jim Routh joins the podcast to discuss selling #AppSec up the chain. Jim has built 5 successful software security programs in his career and serves as a CISO now. Jim shares his real-world experience with how to successfully sell #AppSec to senior management (as well as many other pieces of wisdom for running an AppSec program).

You can find Jim on Twitter @jmrouth01

#AppSec Recommendations (S03E08)

#AppSec Recommendations (S03E08)

Chris and Robert go over a plethora of recommendations they have accumulated over their years of experience in the industry.
Chris’s recommendations
1. Book: Agile Application Security: Enabling Security in a Continuous Delivery Pipeline
by Laura Bell (Author),‎ Michael Brunton-Spall (Author),‎ Rich Smith (Author),‎ Jim Bird (Author)
2. Website: Iron Geek
Adrian Crenshaw records many major, non-commercial security conferences and posts the talks to Youtube
3. Book: The DevOps Handbook: How to Create World-Class Agility, Reliability, and Security in Technology Organizations
by Gene Kim  (Author),‎ Patrick Debois  (Author),‎ John Willis (Author),‎ Jez Humble  (Author)
 4. News Source: The Register
News site, but has great sources and a bit of British humor attached to technology failures
5. Blog: TechBeacon
6. Book: Threat Modeling: Designing for Security
by Adam Shostack  (Author)
7. Book: The Tangled Web: A Guide to Securing Modern Web Applications
by Michal Zalewski  (Author)
8. Book: Start with Why: How Great Leaders Inspire Everyone to Take Action
by Simon Sinek  (Author)
Not a security book, but a good approach for those trying to change a security culture
Robert’s Recommendations
1. Books by Martin Fowler (Author)
He wrote many books on understanding Architecture.
2. Book: Software Security: Building Security In
by Gary McGraw (Author)
3. Book: Core Software Security: Security at the Source
by James Ransome (Author) and Anmol Misra (Author)
4. Book: Threat Modeling: Designing for Security
by Adam Shostack  (Author)
5. Websites: Troy Hunt
6. Conferences: #AppSec USA, , B-Sides, Source, Converge
7. Website: Google Alerts
Use this to be notified about specific topics you want to learn about.
8. Book: The Checklist Manifesto: How to Get Things Right
by Atul Gawande (Author)
9. Book Securing Systems: Applied Security Architecture and Threat Models
by Brook S. E. Schoenfield (Author)
10. Book: Risk Centric Threat Modeling: Process for Attack Simulation and Threat Analysis
by Tony UcedaVelez (Author) and Marco M. Morano
Hustle and Flow: Dealing With Burnout in Security (S03E07)

Hustle and Flow: Dealing With Burnout in Security (S03E07)

Magen Wu works through the topic of burnouts and mental health in the world of security. She gives some examples on how to handle this and how to recognize if people around you are burning out.

You can find her on Twitter @infosec_tottie

Additional information on this topic: